CCBR Business Review
BUSINESS TIPS

The Essential Eight: Multi-Factor Authentication

If you read this column last month, you will now know what makes a strong password. However, what if you follow all of the recommendations and a hacker still discovers your password? Did you know there is a technology called multi-factor authentication which can be set up on almost any web service?

Multi-factor authentication is a key aspect of the Federal Government’s Essential Eight. You may have heard it referred to as two-factor or even three-factor authentication, depending on the web service you are logging in to.

Multi-factor authentication uses different combinations of something you know (your password), something you have (a physical device such as a mobile phone) and/or something you are (fingerprint, iris or face).

You may well be familiar with this paradigm already, as two-factor authentication is precisely how you withdraw money from an ATM. You use something you know (your PIN) in combination with something you have (your ATM card).

Did you know you can use multi-factor authentication to access your critical online services too? Using your username and password along with an authenticator app such as Google Authenticator or Microsoft Authenticator, both available on Android and iPhone, you can turn your phone into the “something you have”.

All major web services support multi-factor authentication, including Facebook, Twitter, Microsoft 365 and Google, and the list goes on. Your bank will support multi-factor authentication too, but they may opt to use their own app or text message.

An important note regarding text message multi-factor authentication: it has been proven that it is not as secure as you may think. Wherever you have the option to use a different method, preferably an app, take it. This is the most secure form of multi-factor authentication.

Why not just implement all factors immediately?
Two reasons: expense and usability.

As an I.T. consulting company, we always try to strike the balance between security and usability. Make the system too usable and security will suffer. Make the system too secure and usability will decrease, leading to user dissatisfaction. Higher security usually means higher I.T. costs because you will need the I.T. company to be involved to make even the smallest changes.

When setting up networks, security is often an afterthought because budget is always a concern. “Just make it work” is a phrase we hear often when we get a brief from a client. Companies should be saying “Just make it secure”.

Multi-factor authentication is one of the factors recommended by the Essential Eight. In order to reach maturity level three (the highest compliance level) in the Essential Eight’s multi-factor authentication strategy, your business must:

1. Use multi-factor authentication to authenticate all users of remote access solutions. This includes anything that will allow remote access into your network, such as VPN services.
2. Use multi-factor authentication to authenticate all privileged users and any other positions of trust.
3. Use multi-factor authentication to authenticate all users when accessing important data repositories.
4. Implement at least two of the following authentication factors: passwords, universal second factor security keys, physical one-time password tokens, biometrics or smartcards.

Correctly configured multi-factor authentication is considered bulletproof for accessing accounts and web services. It is highly recommended to implement this on everything you can, because stronger user authentication makes it harder for adversaries to access sensitive information and systems.

By Michael Tremblett

About Michael Trimblett

Michael has been in the I.T. industry since 1998 and is currently the General Manager of Loyal I.T. Michael holds a Bachelor of Science in Information Technology, is a Cisco Certified Network Associate, a Microsoft Certified Professional, I.T. Infrastructure Library (ITIL) v3 certified and is a Certified Ethical Hacker. As an Ethical Hacker, Michael has legally hacked over eighty servers where the vulnerable servers suffer from poorly patched operating systems, poor internal security policies, poor passwords and poorly programmed software, amongst other vulnerabilities. Michael’s job is to make sure this does not describe your system.

Summary of the “Code of Practice: Managing Psychosocial Hazards in the Workplace”

By Warwick Ryan, Partner, Hicksons Lawyers

One of the emerging areas of exposure for employers in recent years is the responsibility imposed upon them under workers compensation legislation for the mental wellbeing of employees. However, the responsibility is not limited to the question of compensation.

The obligation upon employers (and more broadly people conducting an undertaking or business) pursuant to the Work Health & Safety Act extends to ensuring the mental wellbeing of employees and others. That can be difficult to define.

To provide some guidance for businesses and organisations, Safework (NSW) has now implemented a Code of Practice that provides some more guidance.

What is a Psychosocial Hazard?

Psychosocial Hazards at work are aspects of work and situations that may cause significant stress, which in turn can lead to psychological or physical harm.

They can arise from stressful or dangerous jobs or tasks but can also arise in situations where a job or task may be designed, managed or supervised poorly.

They can also arise from the environment, equipment, and social situations present at a workplace that may cause stress or harm.
Some of the more obvious causes detailed in the Code of Practice include:

• Poor support from supervisors and managers
• Workplace violence
• Bullying
• Sexual harassment
• Inadequate complaint handling processes
• Poor consultation practices

Factors that expose some workers to Psychosocial Harm

Employers should look to engage in conversations with their workers in order to identify individual worker factors that may require additional supports.

Some factors may increase the likelihood of a worker experiencing psychosocial

CENTRAL COAST BUSINESS REVIEW AUGUST 2021